Should Software Developers Be Liable for their Code?

Should Microsoft pay for the billions of dollars of damage that flaws in its software have caused around the world? It might have to, if a new European Commission consumer protection proposal becomes law. Although that sounds an appealing prospect, one knock-on consequence could be that open source coders would also be liable for any damage that errors in their software caused.

A priority area for possible EU action is "extending the principles of consumer protection rules to cover licensing agreements of products like software downloaded for virus protection, games or other licensed content", according to the commissioners' agenda. "Licensing should guarantee consumers the same basic rights as when they purchase a good: the right to get a product that works with fair commercial conditions."

EU consumer commissioner Kuneva said that more accountability for software makers, and for companies providing digital services, would lead to greater consumer choice.

Now, you might think this is yet another case of Eurocrats gone mad, but they're not alone in believing that those who write software should take responsibility for it. No less a person than the security guru Bruce Schneier is also a big fan of the idea:

There's no other industry where shoddy products are sold to a public that expects regular problems, and where consumers are the ones who have to learn how to fix them. If an automobile manufacturer has a problem with a car and issues a recall notice, it's a rare occurrence and a big deal – and you can take you car in and get it fixed for free. Computers are the only mass-market consumer item that pushes this burden onto the consumer, requiring him to have a high level of technical sophistication just to survive.

...

The key to fixing this is software liabilities. Computers are also the only mass-market consumer item where the vendors accept no liability for faults. The reason automobiles are so well designed is that manufacturers face liabilities if they screw up. A lack of software liability is effectively a vast government subsidy of the computer industry. It allows them to produce more products faster, with less concern about safety, security, and quality.

Cox said that it would be difficult to make open-source developers liable for their code because of the nature of open-source software development. As developers share code around the community, responsibility is collective. "Potentially there's no way to enforce liability," he said.

The key to understanding this is that this sort of contractual liability is part of a contract, and with free software -- or free anything -- there's no contract. Free software wouldn't fall under a liability regime because the writer and the user have no business relationship; they are not seller and buyer. I would hope the courts would realize this without any prompting, but we could always pass a Good Samaritan-like law that would protect people who distribute free software. (The opposite would be an Attractive Nuisance-like law -- that would be bad.)

There would be an industry of companies who provide liabilities for free software. If Red Hat, for example, sold free Linux, they would have to provide some liability protection. Yes, this would mean that they would charge more for Linux; that extra would go to the insurance premiums. That same sort of insurance protection would be available to companies who use other free software packages.

So, where do you stand on the issue? Do you think introducing liability for software would be a great way to force Microsoft to pay for all the damage its software has caused, and to start writing some really secure code, or would it lead to terrible problems for those producing free software, and stunt the uptake of open source? Would the European Commission's proposal be a blessing or a blight?

Comment viewing options

It wont do any good at all. Comparing the auto-mobile industry to the computer industry is an epic fail.

A car is developed as 'closed entity'. Every nut & bolt going in there, every piece of software, every transistor, each cpu, EVERYTHING that makes up a certain brand and model of a car is completely fixed. Under those conditions you can hold them liable for mistakes.

Computers are different.. I can end up with the same specifications in so many ways it would make your head hurt. Some of these hardware combinations are common, some are not.
Some go well together, others dont. Software is by the proposed standard expected to be magical and know beforehand what hardware in the future will act like. On top of that you expect software companies to test their product on all possible hardware combinations before going to market.

And please make a decent case first ... how did MS cost millions of dollars damage ? Because of faulty IT strategies from the ppl using those products or because MS fucked up again ? Be honest.
Kill MS for their licensing system, for never releasing something that feels finished, for making arrogant assumptions and what not, but not for stupid mistakes made by IT managers who dont feel popular when they have to budget a shitton of money for something almost noone ever needs.

When that car manufacturer we started off with starts to provide service to home-modded cars, with it's engine bored and god knows what other stupid shit one does with a car can be held liable for all that user inflicted horror, then you'd have a case.

It is not possible to give a 100% guarantee, or even approach that value, as what we do with our computers, what we run on it, their hardware, the way they interact with more and more devices etc. will change every day. Unless the EU committee designs a self-maintaining code patern, this wont happen.

There's another big difference here too. In the cash for goods environment, software companies like microsoft are legendary at absolving themselves of as much responsibility as possible, but at the same time, pursue a monopolistic business model that swallows up, or crushes smaller operators. So any reference we make to litigation, or potential liability is usually considered with MS in mind. MS have also, as part of that same business model, gleefully raided patent and after patent, and closed the door on a lot of fine development, tying the ideas and potential behind the profit to be had in licensing.

Add to that the protectionism that is bribes, legal, or economic intimidation, of HW manufacturers to limit software framework to one or two OSs' where possible, and the idea of a 'standard' definable in law, and subject to legal scrutiny, becomes all the more appealing for the consumer.

It's no secret that a lot of computer users since the '80s have been economically 'engineered' into accepting a much lower standard of quality and reliability than other industries, and the continuing reluctance of governments to address this smacks of political fear, and/or, corporate persuasion of some sort or other.

In our fine Open Source community, no such official relationship exists. For the common user, who takes on linux, and enjoys the experience free of the closed source lobotomy, it's clearly understood that the relationship between developer and user is a mutual one, or not, decided by both, and with the freedom of choice we hold so dear. For distros like Ubuntu, the relationship can ALSO be one of monetary transaction, through business services, etc.., so they will, or have, taken steps to ensure their continued viability, ergo, a business model that requires a certain standard, and within a legally protectable framework.

I don't think such legislation would be a bad thing, if we could ensure that the line is clearly drawn between not only closed and open source, but "open source corporate, and open source community". It's this definition that the commission needs to consider very carefully indeed.

And like it or not, HW manufacturers who help us chaps by contributing drivers to linux systems, need protection too, in an equal handshake agreement. If a HW manufacturer opens his technology, and provides, or in conjunction with linux development communities, helps to develop opensource community drivers, and software, then they should be protected from any sort of catch all law that seeks to nail 'em when the driver still isn't quite right.
There may well be an upside to this for linux users in the HW manufacturers realising that by providing robust drivers for linux, in a non litagory environment, they stand to gain a much bigger market share than they currently perceive. But we have to meet them halfway, and give them the input that convinces them working with our community can have financial benefits for their businesses, as well as a natural development arena for new ideas.
to
For opensource to be as protected as possible, it makes sense to strengthen the relationship between developer and user even more, in a mutual partnership that raises the standard and usability of software by shared consent, and in doing so, defines common standards that help stabilise, and nurture as bug free a working system as possible. FOSS developers are volunteers in the main, and that's the message we constantly hear, but i think, in a way, that's contempuous, and rather dismissive of many developers pursuit of excellence. I've met some great devs, who are keen to go the extra 10%, and build an app that runs well, to a high standard.

Those people most of all, are the ones who need protecting from any legislation, and the freedom to continue developing new ideas, and an ever increasing standard of excellence.

The upside of THIS approach is it raises the bar, including putting pressure on closed source profit based free of responsibility operations, as many linux developers have been successfully doing, for quite some time.

In addition to this law, i'd add a new one, that makes the transfer, or trade, in patents, illegal. No patent can be bought or sold, and if the author wishes to sign away his rights, tough. This ensures the monopolistic business model can no longer overwhelm the rest, and big companies like MS will have to build better product, and license only that which they can develop in a fairer competitive environment. If a company goes bust, then the patent becomes void, and the failure is examined in a court of law, to ensure the company's failure wasn't a result of brutal and immoral business practise by a competitor. If that competitor is found to be a contributor to the failure, then they are banned from using, applying for, buying, viewing, or through a proxy, allowed to reapply for any patent in place of the original.

It's my view that between these two carefully written legislative models, that protect opensource community developers from undead lawyers trying to make a fast buck, and hold closed source or corporate opensource responsible for their product, we could have a better result all round, that preserves FOSS, and nails those who would foist shoddy software on the public, for profit.

You can go running back to the GPL or FOSS for help, but its not going to help you. Ask TomTom where was the OSF support and backing when the "FOSS hits the fan"??

Again, its not about reliability, its about neglegence, If you write some FOSS code do you put it through a formal software audit? or a design commitee where you go through your code life for line explaining it to a group of fellow programmers who will try to find holes in it. ??

Professional programmers do, they also write code to compliance, they ARE liable for their code and they accept that, just like the electrician accepts liability when he turnes up at your place to wire in a now power point.

Its a common and everyday thing for all of the world, it will be nice to drag FOSS kicking and screaming into the real world.

It's funny how many FOSS people dont even seem to be able to grasp the concept.
It's not that hard. It's not the same as a recall on a car because of a possible manufacturing fault.
Being the same as a patch for software.

It's not.

You are not going to be sent to court for writing bad quality or rubbish code, (otherwise there would be no foss coders left !!).

But you are going to be liable if you are negligent in your work, if by your negligence you cause death, loss or injury you should be liable, just like everyone else in the world.

It does not matter that you do it for free, or are paid, or that you are an amateur or professional. You do something that is or can be proven to be negligent and that causes loss, death or injury your in trouble. (as you should be).

(yea, my friend asked me to fix the brakes on his car, so i emptied out the brake fluid and filled the break lines it with cornflakes, he got in his car, drove down the road and crashed into a tree and died!!!.. but its ok, it's not my fault because I did not charge him for the work I did on his breakes) !!!!!

You don't seem to understand GPL or any other license. When someone buys proprietary software the license functions as a contract between the two parties detailing what each one can do. The entire thing can be simplified to: party 1 pays amount x for software y, party 2 creates and sells software y which deals with problem z. When party 1 is dissatisfied with how well software y deals with problem z, it should be able to demand a refund or that party 2 gets some king of penalty. It's what Schneier tried to explain.

When party 1 tries to use Open Source Software, by using the software they implicitly agree to the license that software comes with, generally GPL.If you read the GPL text you'll find a passage that says "THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. ". In other words, even with such a law passed, when party 1 starts using the software, they agree that what they are using could not work at all, that he has been warned. With this as evidence, I don't think and court anywhere in the world could go in favor of a FOSS user demanding money or other thing for the damages he has suffered from an open source software.

What you are talking about is ill intent, if you fill the break lines with cornflakes then your intention was to hurt your friend. This is very different from writing free code with the best of intentions, even if said code fails horribly.

Also, code that is going to be used in life critical applications is not going to be downloaded and then run with no testing at all, no one is that naive. Do you think NASA would pick up parts from the scrap yard and then blindly stuff it in their rockets?

I think the only one who needs to be dragged kicking and screaming into the real world is you.

Most OSI approved licenses (including the GPL2/3) specifically and explicitly explain that there can not be any reasonable expectation of warranty, of any kind. We also have no control over what any given distribution is going to actually _do_ to our software. Perl bug, anyone? Debian entropy belly flop, anyone? Users of free / open source software do NOT like end user license agreements, even if the agreement only reiterates that there is no warranty of any kind.

I don't think this is a cause for concern for your average author, but it may be cause for concern for some distros that take the extra step and sell a warranty. Even still, that really applies only if you have paid for such a service.

The problem is the following straw man argument:

"I bought a toaster, it malfunctioned and my house burned to the ground. That cost me thousands. I paid for a warranty for xyz-program, it malfunctioned and cost my business millions"

1 - Try proving actual damages directly caused by the software. A web server serving poorly written web apps comes to mind. Its not the web server's fault that your coders have no idea what they're doing. Just like, its not the coffee house's fault that you spilled hot coffee on your lap while driving. You can not accurately account for ignorance when writing software.

2 - A program is not a toaster.

The problem is, judges (and juries) tend to be rather technology clueless, metaphors rule this kind of argument.

I'm not going to stop developing open source software just because some crazy legislators in the European Union have found something else new and exciting to do.

Its hogwash. I have not used MS products in 10 years .. however if they get this over turned, I'll happily send them a thank you card. At this point (I know, its odd), I'm happy that their legal arm hates this as much as I do.

You seem to fail to understand what is at stake here: a lot of programs are actually these "toasters" -- embedded devices are part of our everyday life. These contain a software stack just like real computers. Often these devices do rather critical tasks.

Suppose you just bought a shiny new car, and a total stranger comes up to you and says "hey Mister, do you want this great super-charger for your car which btw is free of charge?", and you install that super-charger on the car and the next day the engine blows up. Will you get compensated by the car manufacturer? Very unlikely, since meddling with the engine voids the warranty.

And yet this is what happens every day with computers - people run software from complete strangers which they get via email, CDs, Internet, etc. The fact is, very seldom do bugs in themselves cause a lot of damage; most damage is done by malicious software which is run directly by users.

That's why I don't believe such a law would ever result in compensations being awarded in any court.

In every software, there are critical applications which require heavy testing to insure that there is absolutely no danger in it's use. Cosmetic bugs are innocous such as a spelling mistake in a title, or a spelled word using a foreign dictionary (english canada, usa, austrailia, africa, have many different spellings of similar words).

This guarantee would state that on such and such a hardware configuration, as listed in xxxxx, this version of software dated xxxxx and having md5 hash check performed as to the specifications. Failure to do so gives the user the right to present failure information and to ask for remedial action.

What is failure information (a dump) or a way to duplicate the bug. Remedial would be to fix the faulty code, to repair database defects, or even to compensate a customer because of financial losses.

Of course, the customer would have to sign an agreement that he used the software on the specified hardware, and he tested it for conformity with his business requirements.

* car makers are not required to fix all defects for free. Car makers only need to fix defects which are safety related.
* open source developers can not be held liability for defects in their code because they have no customers. They do not selling their code to anyone.
* independent software developers (contractors) are already being held liability for defects in their code. No independent developer in their right mind will develop code without insurance.
* there are lots of industries other than the software industry which sell shoddy products.

Is what the EU proposing a "good" thing? Hard to say, but the fact that other disciplines, e.g., construction, medicine, manufacturing, are subject to similar rules as those proposed should make those of us in the IT industry sit back for a moment and think about this whole topic.

The proposal is madness; armies upon armies of undead lawyers would get fat on every little bug found in any program where some money can be extorted. It would be abused just like patent laws. It's impossible to produce bug-free software, it would be a lot preferrable if the EU used their funds to promote diversity and true competition in the software market instead of all just buying M$FT and a bit of OpenOffice (which is just as bad) as a fig leaf.

It would be a great opportunity to clean up our domain from people who move in just because of the .com era and the fact that they could make more money than in other places.

Only the true professionals will remain. No more code monkeys, no more b.s. from people who have no clue what software engineering is but they mock it with buzz words that impress high management.

You would not see this kind of non-professionals become physicians or building architects overnight and do the same damage they did to our field.

Only the true professionals who know their business will stay and take the risk.

I truly wish this happens before I retire (next 20 years).
We need this law so people who care about their job can be proud of what they are doing.

Yes, as other people said, in modern times there are ways to ship a solid software product with bugs fixed but because of no responsibility people with power (read managers) decide to ship it anyway, even if they know it has problems.

Software is used in many important applications, but the software industry is still stuck in the 1960s attitude that "software bugs are inevitable/software is closer to art than to engineering/ we are too creative to stick to rigorous quality management or to use mathematical methods as other engineers do". This won't change until software companies are faced with liability for their defects.

Why are we still using programming languages that have weak type systems, and where the meaning of a program is allowed to change every time it is compiled? (Yes, I mean C for example). Because there isn't the incentive to move to more professional tools (SPARK, for instance). Why do we still think that testing a program is the most effective way to show that it does what is required, after 40 years of computer scientists arguing the contrary? Amateurism.

Bad software has killed people and caused billions of dollars of damage, but the lessons are not learnt. In any other branch of engineering, if there is a catastrophic failure, the whole industry learns the lessons and no competent engineer ever makes that mistake again (think Comet, or Tacoma Narrows). Our industry is not short of billion-dollar catastrophes, but no lessons are learnt because the developers get away largely unscathed.

Liability seems essential.

And if you don't trust your skill enough to accept liability, why should anyone risk their life or their company by using your software?

This is really bad. Especially the open source part. I have been contributing to the linux community for quite a while now. If I am held liable I wont develop. Car goes through a set of know tests that you expect would happen in real world. You release the car only if it passes these. But a software could be attacked by many users who might try all sorts of different things. This will mean softwares are to be tested more. They will be released slower as a consequence and they will be costlier. No thank you people I am happy with code with vulnerabilities which gets fixed once in a while by updates.

well no i dont trust my code (neither should others) i know what its supposed to do under normal conditions
but the truth is code will always be flawed
its just a matter of time a hacker catches a buffer overflow and completely play with ur code
if my code fails under normal circumstances like if i say copy and files get deleted then i can be held liable but you can expect me to test some scenarios i cant even dream of

Software written for martian rovers should not fail and should be tested quite extensively but when I want to release a code for general public with a lot of competition its really hard to meet all deadlines and perform extensive testing.

noone is trying to hack the martian rover but people will try to hack my code.

It seems these days that everyone wants some sort of way to sue everyone else for something.

If I buy a piece of software, I make sure I can take it back so that I'm protected for a potential loss. That way if it doesn't work or is horrible, I get my money back. No need to get the government and court systems involved.

In the long run a company that puts out shoddy software that doesn't work isn't going to compete in today's market, so the problem will work itself out eventually.

If we get government too involved, then I can see them "protecting" us by taking away some of our rights and maybe even becoming a roadblock for open source (i.e. government approval before starting a project, fees to pay, licenses that must be purchased to code, etc. etc. etc.) Don't act like it can't become that silly because other areas in life have.

Just another way to shift the blame for shoddy work from "management" (who only care about "cost and schedule") to the developers (who really DO try to do good work).

Let's use the car analogy -- which seems to be popular. You buy a new car, it doesn't "work", you take it back to the dealer -- and they fix it for free. Right?

If "doesn't work" means it won't start, or the lights won't turn on, or the radio won't tune to a station, or the air conditioning only blows hot air -- they yeah, they will fix it.

But ... what if the problem is more subjective -- like, it leans more than you would like it to in a hard turn. So, will they now replace the standard suspension with something more robust, and do that for free? I would doubt it.

That's basically the problem with any software you buy -- the "not work" part is usually subjective. It's too slow, or it's too hard to figure out how to do something, or it doesn't have a particular feature you were hoping it to have.

Let's go so far to say that the app crashed when you launched it. Even then, so what? You really want to hire a lawyer, shell out around $30K to get to litigation, wait years and years while the SW company presses for delay after delay and finally end up in court -- only to get your $200 back?

And, what's to say the the SW company doesn't respond with "Yeah, we found out about that problem too late to fix it prior to release. It was "Bob" who wrote that code -- and we fired him as soon as we found out. So, we're not liable now."

You want developers being fired every time some whiner threatens a lawsuit -- because that's what the SW companies will do, given that alternative vs. a big lawsuit settlement.

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

I think that Microsoft should be held responsible. They put out new software and we suffer with the problems. Microsoft said that is not our fault. It is all their fault. Longer debug times and more debuggers. Fix the problems before you put out the software.

Now holes in security is a different story. If it was put there by the company on purpose then they are held responsible. If there is a security hole that no one knew about and was hacked by a hacker then the Hacker should be held responsible.

That is the whole reason for debugging. To find the holes.

The problem is this. Microsoft has put nothing but bad software out to the public and charges the public to debug it for them. Look at when 95 came out. Problems everywhere. So they try to fix the problems and put out 98 which is 95 with some bugs fixed. The problem was it caused more problems and not all the bugs were fixed. So then out comes NT then XP and Vista. Microsoft puts out trash expecting us to debug it for them and then we pay for it on top of that. If anything they need to put the debugging cycle longer.

I am not a fan of Microsoft. I am not a fan of Mac. I am a fan of Linux. Now talk about bugs.... but I choose to play with the bugs. It is my choice. Just like the Microsoft crowd wants windows regardless of the bugs. There are more hackers out to destroy windows than anyother OS.

I use windows. Only because some things I do is not currently supported by Linux. When it does I will drop windows and Microsoft.

There are just as many bugs in Linux as there is in Microsoft's software. These bugs don't exist because the developers are poor programmers. They exist because of the thousands of different hardware configurations possible with PC's. Apple doesn't have those problems because the configuration of an Apple computer is dictated by Apple. Not just anyone makes products for their computers. Which is more expensive, the Apple or generic PC? Sure, as a software developer myself, I would not have a problem with liability. But, I would spec the exact hardware and software configuration that it was tested with. Anyone outside of that configuration would void the license and liability. In other words, if you were downloading games from the Internet that I did not use during my testing, then out goes the liability. If you didn't have 2GB of RAM as required, then out goes the liability. If your computer was not purchased and configured by me, then out goes the liability. This industry would not last long under such conditions. Also, those of you quoting the license fail to understand that the license agreement as written today would no longer be valid after passage of this law. Get a brain people! SOCIALISTIC EUROPEAN LAWS HAVE NO PLACE IN A FREE SOCIETY!

Okay, guys, anyone read like 3 lines of GPL should see the big, usually all cap, sentence stating explicitly that the software comes with NO warranty whatsoever.

In contrast, EULA of Microsoft buries this fact (well, they do offer like $5 warranty or some joke like that) somewhere in the middle of the forever-long legal document, which is also much much more difficult to read.

What I think EU (and everyone) should do is that to make all software developers to state explicitly whether the software has any warranty and how much that is, how long that is, etc. (in short, how much protection the users have) in the first paragraph (or first 2 or 3 paragraphs) of the license, and that these paragraph must be shown to the users. For Free and Open Source Software, this line ("THIS SOFTWARE COMES WITH NO WARRANTY WHATSOEVER") is usually shown like very time you turn a software one. Look at Microsoft! They lie to their customers, that's the whole point.

A lot of the comments seem to assume that software cannot be foolproof/secured -- or at least not within a suitable price limit.

I disagree.

The biggest problem today is bloat, lack of modularity, and forgetting the KISS principle (Keep It Simple, Stupid).

The software (especially the OS'es and some office applications) is brimfilled with features that very few, if any, need or use. (Picture your commuter car with built in kitchen sink, bathroom, spa, sauna, Olympic swimming pool, and the contents of a minor department store)

The underlying code is worse than a bowl of spaghetti the size of Italy's yearly consumption. A minor change in the northernmost section of the code could have a devastating influence on the workings of the central parts of the code. (Picture a butterfly in Alaska influencing the weather in the rainforest)

The data structures are so complex and convoluted that you need a Major in Topology to untangle anything but the simplest of the simplest. (Picture the Gordian Knot without a proper sword anywhere in sight)

Let's get real, though. The chances that the software industry will change their ways of their own volition are slim, and I, for one, think that liability could help improve thet quality of software.

OK, application A, due to silly programming take down your whole system -- Who do you sue?

The OS developer first, obviously. Had the OS been developed properly, it would have issued a warning that application A did something wrong and prevented the application from doing harm to anything but itself. This prevents any problems of identifying the culprit. Later, when the OS does not go down, but instead issues a proper warning, you can sue the application developer -- now you know the culprit. (OK, I am not quite that naive, but overall this would probably be a good starting point.)

In case of using an OSS solution (assuming that developers of OSS software cannot be held liable), you are out of luck, unless you can actually prove the (assumed paid for) application has a problem.

And yes, I know, there are further complications when application A interacts with application B (from another source) through the OS (from a third source), and variations on that theme.

Ripping off software does indeed bring down margins. But you are completely kidding yourself if you think a shrink-wrap shop is hurting.

First, I write software for a living. A lot of it. All custom. I have worked on everything from embedded aviation controls that require line-by-line verification of stability. To the point that 3rd party binaries are a total no-no. And I now work for a very large e-retailer writing enterprise software.

You see, bad software in case one, results in liability if the plane falls from the sky. In case two, a backed service fails to encrypt your credit card info and because some jack-ass left an open wifi spot, their whole network and your credit-card are compromised. In the best case, you simply get a new card and it's an annoyance. In the worst case you are a victim of rampant identity theft. Does that story sound familiar? It should, that is what happen to TJ Max stores.

In their case, the liability came in contractual form from visa/mastercard. But you the consumer had not one iota of recourse.

In closing, on more ocassions that I can count hacks and prototypes and quick-fixes have made their way into production where such dirty secrets are long forgotten; until your site gets hacked. No, I have been forced many times to write software I thought was of questionable quality. Liability is the answer as it will 1) define 'quality' software because 2) without it you will get your ass sued broke

A few years a go a friend and I were debating the idea of an "out of the box" game. I.e. You buy the game from the store, slot it into your machine and the game just goes. No patching. No registering. You've just brought a product off the shelve and are able to use it.

After a little more probing though, we realised that there are absolutely no checks. I could release a piece of software as a virus scanner while all it does is sit there looking a bit like a brick. So the business model isn't so great - i.e. someone tries my software, realises what it does and recommends to all their friends to avoid the software at all costs (bonzai buddy anyone?). So software doesn't have to do what it's advertised to do. Furthermore, there are always disclaimers about suing for damages done by the software. In otherwords, any piece of software can essentially do anything already existing on your machine and you have absolutely no recourse.

On the other hand, if I went out and sold a gun claiming that it's an automatic broom and it'll clean up your house, and you buy it and you end up with holes in your floor... in the software world - that's fine. You can have all the holes you want. You can't sue me.

I would like to answer the question "Why is software so frequently disappointing and flawed? "

As a developer, there is nothing I would like better than to turn out the highest quality software, as long as I could be compensated for it.

Does anyone really think that the millions of lines of code that went into Windows is worth the piddling $100+ the consumer pays for it?

Let's start with a basic premise: quality is worth money. I'm sure we agree that a Hyundai (or whatever passes for a cheap car in your neighbourhood) costs less than a Porsche or BMW because the Porsche is better designed and better built. Better design means more experienced and brilliant engineers, more talented designers; better built means more skilled and dedicated assembly-line workers. All these people demand more money. Hence the Porsche company commands a higher price for their Carreras, 911s, whatever.

The same should be true of software. If a company invests great care in desiging a better operating system, or a better word processor, that never crash, and always have helpful help and meaningful error messages, how much do you think that would be worth? I'll give you a hint: the military do in fact get top-quality software for their jets and rockets. They get software that almost never fails, and does exactly what it is designed to do.

Do you know how much this software costs? $50 per line of code.

Translating into everyday terms, a bullet-proof operating system would cost you, at a rough guess, $5,000 per copy.

Now I have no doubt some people would be happy to pay $5,000 for a stable OS. However, there are many people who couldn't afford this amount.

So what would happen? In any other field (automobiles, stereos, TVs, restaurant meals, housing) people who can't afford quality just put up with less and shut up.

But in the software field... well, they just make a copy of someone else's software, and enjoy the full benefit of top-of-the-line quality, without paying for it. I wager even you couldn't resist obtaining a $5,000 OS for free.

How long do you think a software company would last if their product cost millions to make, and they only sold a few copies at $5,000? Why they would go broke, of course.

This is the crux of the software dilemna: except in a few specialized cases (commercial or embedded software), the maximum price for software is the monetary equivalent of the nuisance value of duplicating it.

In consumer software, this is in the range of $19-$29.

The digital world turns the economics of quality upside-down: in traditional models where quality is supported by price, the market pays the price if it wants the quality.

In the digital model, a perfect copy of the merchandise costs virtually nothing, and undercuts the legitimate market, putting a cap on the maximum that can be charged for a product.

There is a built-in limit to how much time, effort and expense a company can invest into a mass-produced product. This cap is equivalent to the "nuisance value" defined above. It is not reasonable for the consumer to expect warranties and liabilities that go way beyond what the manufacturer receives from sales of the product.

The music and movie industry are wrestling with the consequences of easy digital duplication. They have taken a different route to protecting their intellectual property.

I challenge anyone to come up with a business model where the software developer that invests great expense in building a quality product, can obtain full compensation from the market segment that values his quality.

Whose fault is it anyway? Simple: it's the consumer who copies and pirates software that forces the price down and therefore the quality to remain low. Any analysis that does not take this into account is simplistic.

It is naïve to think that most developers are not struggling to make ends meet and stay in business (Microsoft notwithstanding).

The advent of Web- and subscription-based software models promises to turn things around by making it impractical to copy software. Time will tell.

"...I'll give you a hint: the military do in fact get top-quality software for their jets and rockets. They get software that almost never fails, and does exactly what it is designed to do.

Do you know how much this software costs? $50 per line of code.

Translating into everyday terms, a bullet-proof operating system would cost you, at a rough guess, $5,000 per copy.

Now I have no doubt some people would be happy to pay $5,000 for a stable OS. However, there are many people who couldn't afford this amount."

Are you saying that a bullet proof full os would consist of, like 100 lines of code?

No, no and no. The reason that the military code is like 50$/loc, is that it has one buyer. How do you think Bill Gates became the most wealty person ever? By not selling the operating system once, but a permission to use one he owns all the rights, like a billion times. And Windows is not like 100$, it's like 300$. The cheaper versions are just hacked with an axe, because a lot of people want their software cheap, and Microsoft does not want to give a full Windows for peanuts. You do know that for a server Windows you need to pay, like 1000$ if you don't need too many features? There is strength in numbers.

I, of course, use Linux-based systems.

How can software be so flawed? Because then they can sell you another one.

If you don't want me to use Linux as an example because there are some big companies paying for it's development, how about Free/Open/NET/Whatever... -BSD? It has such a reputation that it's even safer than Linux is, it can easily run the same software that Linux runs, and it is being developed by people who love programming, who release when they are ready, and who may or may not get a penny for it.

They are hobbyists, just as Linux is, or was if that's how one wants to look at it. Of course a lot of them also are hardcore-professionals, who just want to have a quality computer experience.

Piracy does not have a lot to do with those prices, competition does. Microsoft has to sell XP cheap for netbooks, because Linux made that market possible. Games are cheap because there are other games they need to be priced about same with, and there are free games consumers would play if they would need to pay 4k$ for a game. Consumer goods are cheap, and that's that. There are also professional software, like Maya or Autocad or Photoshop, but a normal consumer can and will not pay those prices. Also there are good free (in many senses) software which are often even better than these "professional" programs. You can't get a licence for Maya for 1000$, but you can get Blender 3D for free. Here is a comparison table for you: http://www.tdt3d.be/articles_viewer.php?art_id=99

That table is old and dated, Blender has gone trough lot of chances. Hollywood uses Blender quite often, like for Spiderman movies. Would you pay that premium? What if I told you you only get a permission to use for proprietary Maya, but you can do almost whatever you want with Blender? What you cannot do is restrict those rights you got with the software from the people you distribute the software to, if you do.

I do not think software must be especially more expensive just because its well engineered. Its just that software developers will have to focus less on candy and useless functions and more about making the application work as planned. The planning part rarely takes place in any project before its halfway done and much if not most alterations becomes a patching nightmare.

Whats wrong with thinking long and hard about what your product should accomplish and then build it? Software is just like any other trade, it just hasnt matured because it lacks basic consumer rights and its to cheap to just flip the bird at quality control.

Software has to mature because soon enough its so entangled in our lives that we literally depend on it with our safety. We really cant go on like this.

But I'm not sure it explains the fact that Microsoft *is* spending billions of dollars producing its software, and yet the latter is still seriously flawed. It seems more a case that security isn't a high priority compared to things like flashy interfaces or DRM, largely because it never has to pay for the damage this causes, and so has no incentive to re-allocate resources.

I suspect MicroSoft (and small-time wannabies) will fight it tooth and nail - expect shady dealings galore;- If the ISO kerfluffle is any indication, MS will be forced into the position of doing something unconscionable to maintain their core business model. Unlike in the US - MS is very likely to get caught at it in the EU.

This won't affect companies who already carefully engineer their software products out of a sense of commitment to their customers. (Which is every company with their core competance focussed on any other engineering task, eg - Apple, who also write software as a component of their physical - and thus already liable - products.)

The market has already forced them to get competent or fail.

On the libre software side of this:
Fitness-for-sale and friends generally don't apply to open ended contracts - such as those between a free software project and its users. Under basic English (and thus Australian) contract law, you don't actually have a contract until after you have identified both parties, and both have exchanged consideration and agreed to be bound.

Computers these days are staggeringly reliable - but even then, they can only be as reliable as their software is. I hope this move goes ahead, as it will invalidate the enormous grey-area currently available to charlatans in the programming "industry".

Businesses (and others) seek to find ways to pass liability to other parties. Example, if product fails and the failure can be attributed to a component purchased from a 3rd party, then that 3rd party is co-liable with the end product manufacturer.

Or if a tool fails and a worked is injured as a result, the tool vendor/making can bee held liable.

While I am not saying that we should not have software liability, I am pointing out that a business, when faced with a choice between an open source package, "for free", and purchasing an equivalent package from a software vendor/publisher, is likely to choose the purchased package. This is because they will be able to sue the vendor/publisher for any problems that arise.

As for the impact on PCs, this would provide real incentive for PC vendors/manufacturers to lock their products from running an OS from any vendor/publisher they do not trust - I.E., only run an OS from a vendor they can sue.

Are the software and auto industries so different? Don't software companies regularly "recall" and "fix for free" problems with their product when they issue patches, fixes, and service packs?

The only difference, as far as I can see, is that software collections like Linux distros are infinitely more complex than the most complex auto. So, statistically, the chance that any component of a distro needs to be "recalled" (i.e., patched) is small but when you have so many independent probabilities, the frequency of patching seems much higher for software. But that's just an artifact of complexity of software and not necessarily that software is less well-built than autos.

I'll be the first around the bonfire if this spells the end of Microsoft, but I don't think it does. In fact, I'm having a hard time imagining what the beneficial effects will be. Defects in software rarely cause direct harm, unless lost time is harmful. So, what, I'm going to sue Microsoft for the fifteen minutes a day I wait while rebooting needlessly? Or Adobe for the afternoon spent fixing my wife's computer after being hacked through a Flash defect? I just don't see that happening.

And this raises a much, much bigger question... how would the industry react if they were financially responsible for software defects? I think this would be paralysing for the industry and for people wishing to code... At least commercially, I think this would be a big push to use only certified coders who use well-tested, reusable parts. Coding would universally resemble product engineering and no longer resemble coding, which would be a shame. It would become extremely costly to do business and companies would have all kinds of incentive to avoid innovation, transparency, etc.

And finally, isn't this contrary to accepted OSS philosophy? For software covered by such provisions, we can say good bye to credos like "Release early and release often" and "Given enough eyes, all bugs are shallow". (Maybe you can make some hair-splitting arguments about beta releases versus stable releases... but if that flies, then you just get systems that are perpetually in beta, like gmail, which would simply be a loophole to circumvent onerous legislation.)

To return to my auto example, I sure wish the auto industry was more like the software industry. I'd like to be able to re-skin my car and have it look new. I'd like to have parental controls (or at least logs, for goodness sake!) about what my kids are doing in my car. I'd like to be able to bolt on new equipment and new interfaces. There are a variety of reasons why these are hard or impossible, but these liability issues are part of the problem, not any kind of solution. (You could argue that I'm forgoing little, compared to whatever net safety effect liability have driven... I'd agree.)

At first gloss, I was convinced that this legislation would be a good thing but upon reflection, I fail to see how it will have much, if any, benefit and I can see pitfalls and.. most importantly... I don't see it solving the problems that, for example, Schneier brings up. And I think those are serious problems that we should be trying to fix.

Intentional attempt to add a flaw to open source should be a fine able offense.

Failure to work on secuirty flaws when resources are available should also be hit for all sides.

MS here has had know secuirty flaws sit in there code base for over 10 years. This normally does not happen with Open Source.

If a project lead of a Open Source project was found to be neglecting secuirty flaws but working on adding features that project lead needs to be hit just has hard as Microsoft.

Does it mean that every secuirty flaw has to be fixed all the time no. What is required is a top limit on how long you can put a secuirty flaw in the I don't need to fix stack before it becomes nothing more than neglect of duty. I would suspect 6 months would be more than what is needed for all Open Source projects out there. This could be a ruling covering all software development.

This is a non-issue for for most of the free software world. If the software is distributed as source code and the end user is the one who compiles it, then the end user has "modified" the code by compiling it. The software was distributed as a series of text files, not as a functioning binary. This would fall under the same liability as a book author. If I write a book about how to build a nuclear weapon, I am not liable if someone actually builds one. The only FOSS developers that would have to worry would be the GCC people. They are the only developers that would have to distribute a binary. All other software could be built by the end user, even complete Linux distros. You would be supplied with a minimal baseline Kernel, GCC and a build script. You would then compile the working Kernel and all the software. Installation would take hours, but the liability would be eliminated. I think laws like this could convert Microsoft to a FOSS company or kill them off, either outcome is OK by me.

Software and computers are not like automobiles. You cannot buy an alternator for a 64 Ford and expect it to work on a 78 Chevrolet or a 2003 Mercedes Benz. All three vehicles have alternators, but they are not interchangeable. For the analogy to work, the computer maker (such as Dell or HP) would have to have complete control over what was not only in the hardware, but the software as well. It just doesn't work.

If they push this through, you may begin to see statements like this;
"The software is guaranteed on a computer using an AMD Athlon Series X processor utilizing a ASUS series XXXX motherboard, Soundblaster Audio Card XXXX, 2GB Critical series XXX memory chips (1GB each), Windows XP Build XXXX utilizing Service Pack II and the following patches.......

This software may not work on any other system that does not use these exact specifications, and the risk is taken soley by the user for any problems, loss of data, etc."

Then if you go to court, if you don't have the exact same system as the one listed, you can't hold the software developer liable.

"Your honor, we do not have that particular system within our testing process, and so we do not know what other software will interfere with the use of our software. We have brought along a system that meets these specifications and you will see that the software works perfectly."

If you are an open-source developer, you could write in license or documentation, `This software does whatever its source code states it does'. Joe the Average User don't need to to read through code himself; there are enough geeks on his friendlist to have this covered. In spite of reeking of RTFM-ness, this approach actually is about the only honest; all other ways of documenting are simplifications, approximation and literally shuffling dirt under the rag by assuming nonexistence of bugs.

However, due to to exceptionally high complexity, and hard to predict interactions between various software and hardware components of system, you need to put strong disclaimers in place: `Unless there are faults in compiler, libraries, the underlying OS your hardware' makes any responsibility very diluted and hard to prove at best. And let's not forget about the -- very uncommon, but occurring nonetheless -- random flips of bits in memory, which may bring the system down or silently corrupt code or data in unreproducible ways, regardless of software and hardware quality.

Only actual cure for software reliability is to use simpler systems, made up of loosely coupled components, where failure of one doesn't affect others, and it's easy to re-start from previous step. It's the big, opaque, monolithic, all-encompassing application or systems that bomb and trash your data that are the most problematic. Outlaw those.

In reality all this will do is force software vendors to include additional disclaimers and restrictions in their manuals. Some examples are:

This product is only certified and fit for use with software and hardware combination's that has been tested and certified in ___ quality lab. Under all other scenario's the product is not being used as intended by the manufacture and should not be considered fit for any purpose.

This software is only certified for use on Windows XP Service Pack 3 with the patches listed below. This software is not designed for use in conjunction with any other software or any other operating system configuration. In all other configurations this software has no documented or intended functionality.

that kind of liability law would solidify the vendor lock-in position of the main players.

Essentially, Microsoft could now add "Installing or operating any non Microsoft-Certified software shall void the warranty", and take cover behind liability law to justify their lock-in.

Sure, car company have similar language for stuff like you custom stereo system... but such clause cannot reasonably shield a car manufacturer against a wheel breaking off the car or an engine blowing-off... But with software that is a whole different story. Even with a group of expert, assigning the blame would be very tricky... now image assigning that task to a judge - which is a law-expert but not a software engineer - and a group of random juror - which statistically are mostly idiots.

The danger ot that kind of law to open source (and to small software company) is not so much the liability itself, but the consequent lock in that will bare them access to the market.

In the US, the Moss-Magnussen Act covers this. The law clearly states that manufacturers are expressly prohibited from denying warranty coverage simply because, for example, non-OEM parts have been installed in/on the automobile. If the engine throws a rod whilst under warranty, the manufacturer must prove that the after-market stereo caused the engine to throw the rod. If the evidence supports this claim, then the manufacturer of the stereo is liable for the damage.

Legal liability for injuries and losses due to product failure should be extended to merchant/customer software business transactions, where the business has expressed that the software is fit for a particular purpose (analog: the repair shop has rebuilt your motor, expressing that it should be good to go for a reasonable period of time). However, it should not cover the situation where an internet acquaintance or friend downloaded some open source software for you to use to reach a goal (analog: a gearhead friend or acquaintance has helped you rebuild your motor, and you both express satisfaction with a job well done).

As someone stated, merely producing OSS should not make one liable for damages from its use. That would be akin to making the author of a book liable for medical expenses, pain and suffering for an injury due to a box of his books falling on, and breaking, a Barne's & Noble warehouse worker's foot. Liability should extend, as already stated, only to where there are merchant/customer relationships where the merchant expressed a product's suitability for a purpose and sold the product to a customer who subsequently suffered a loss because the product was really not suited for the purpose. (Did that make sense? It's a long sentence....)

I agree that software/firmware/hardware vendors should be saddled with some risk for the products they sell, just as most other manufacturers are so saddled. But I also agree that care should be taken not to stifle the innovation that comes from the OSS community.

I thought about that, but there is a very big qualitative difference between software and a car for instance.
It is quite straight forward to demonstrate that the stereo has nothing to do with the engine throwing a rod... but demonstrating that software X has no impact on the failure of software Y is a very tricky exercise.

Software are complex systems, a collection of software, interacting in more or less subtle way is incredibly complex.

Let's say you run Software X, and if segfault on you... Who are you going to blame ? software X, plugin Y1,Y2,Y3... the underlying OS, the compiler for any of these, the memory manufacturer for an uncorrected error, the hard-drive manufacturer for a silent io/errror ?
The only way for you to show a cause of action is do analyzed the failure and prove it's source....(without the source code, that could be fun), and then convince a judge, and even worse convince a group of 12 statistically idiots jurors....

Of course you can follow the car industry model and shift the burden of proof on software X, since it's the one that exhibited the failure.... Sure they have their source, it's much easier for them to do the analysis, so long has they do not have to content with plugin Yn and library Zm, etc. That would legitimized they inserting restriction in their contract about what can be run/installed concomitantly with their software.

I'll give you a practical real life example:

I bough a game called Railroad Tycoon III for MacOS. The game exhibit a display bug that make a specific section of the program quite unusable. I screen-captured the symptom and contacted the support for the software.
I've been told that this was 'a known bug in the video driver'. When asked they could/would not give a reference for the 'known bug'.

So, who do I sue ? The Game publisher, Apple , ATI ???

Another possibility would be to have a least a kind of Lemon law. If the product suffer repeated and or sustained failure, the customer should be entitled to his money back.

"(c) Prohibition on conditions for written or implied warranty;
waiver by Commission
No warrantor of a consumer product may condition his written or
implied warranty of such product on the consumer's using, in
connection with such product, any article or service (other than
article or service provided without charge under the terms of the
warranty) which is identified by brand, trade, or corporate name;
except that the prohibition of this subsection may be waived by the
Commission if -
"

Applied to Microsoft, that mean that Microsoft _could_ make firefox and opera void the warranty, since they provide IE for free
Applied to OSS, that mean that Microsdt could make oss software void the warranty, since they are not identified by brand, trade or corporate name, furthermore the Act cover bundling (the case were the manufacturer force you to buy something else than a car... it doesn't cover the attempt of the manufacturer to exclude...
In other words, a car manufacturer cannot tell you : you have to use Mobil Oil in my engine. But they CAN tell you, you have to use an Oil that has been certified for their engine.

...just eliminate (or greatly reduce) liability for any software component that comes with its complete source code, on the basis that the customer/user has the option to inspect whether it'll work in their intended application (even if many, or all, *choose* not to do so).

The state of software quality is theese days really sad. As a user its really not acceptable to have to tinker, struggle and buy upgrades to fix bugs. The software vendors only incentive right now to ship software that works more than barely is PR and reputaion. Microsoft has managed to lower the expectations on software down to "yay, it installs!".

Even if the price of software would take a really high spike the benefits in the form of more thought through and engineered software would be very high. Imagine being able to do someting and really knowing what would happen on a computer?

The current model of development where things evolve is not a model i like as a user. Atleast some planning should go into a project before someone start hacking away. I think software development sooner or later is bound to become more like engineering and less trial and error.

If comercial software gets better under the gun im convinced open source will become even better. Right now people look at for eg. debian as ancient concrete-arses when in reality they are the ones that goes right about things and the rest have their userbase as betatesters. I really really hope something like this fly because as an admin im sick and tired of mopping up after other peoples mess even if we have paid through our noses for software. Worst is when we have to pay to get things fixed through support contracts that should have been right when we bought the darn product.

Trending Topics

Upcoming Webinar

Getting Started with DevOps - Including New Data on IT Performance from Puppet Labs 2015 State of DevOps Report

August 27, 2015
12:00 PM CDT

DevOps represents a profound change from the way most IT departments have traditionally worked: from siloed teams and high-anxiety releases to everyone collaborating on uneventful and more frequent releases of higher-quality code. It doesn't matter how large or small an organization is, or even whether it's historically slow moving or risk averse — there are ways to adopt DevOps sanely, and get measurable results in just weeks.